Client addresses from some sites cannot reach the internal network behind NAT Server

Publication Date:  2012-11-28 Views:  251 Downloads:  0
Issue Description
Firewall Configuration
nat server zone untrust global 211.139.144.X inside 172.30.10.6 vrrp 190
nat server zone untrust global 211.139.144.X inside 172.30.10.17 vrrp 190
Fault symptom:
Some users can access the internal server published by NAT Server normally, while other users cannot.
For example: clients from 125.88.XX access it normally, clients from 211.139.XX cannot.
Alarm Information
NULL
Handling Process
1. Comparing the normal and abnormal session tables displayed on the firewall, the abnormal session's state is 0x51, i.e. the state after the SYN has been received:
tcp  (vpn: public -> public)
zone: untrust -> trust  tag: 0x4000258c  State: 0x51        <-- state 0x51: the SYN has been received, no further progress
ttl: 00:00:05  left: 00:00:05  Id: fde51d8  SlvId: 11026418
Interface: E2  Nexthop: 172.30.6.12  Mac: 00-00-5e-00-01-14
<-- packets:1 bytes:60   --> packets:0 bytes:0
The normal state is 0x53:
tcp  (vpn: public -> public)
zone: untrust -> trust  tag: 0x4000258c  State: 0x53        <-- normal session state 0x53: TCP connection established
ttl: 00:20:00  left: 00:20:00  Id: 2fd100b0  SlvId: 2eadec60
Interface: E2  Nexthop: 172.30.6.12  Mac: 00-00-5e-00-01-14
<-- packets:1011 bytes:374582   --> packets:1053 bytes:149191  211.139.144.204:7890[172.30.10.69:7890]<--125.88.6.162:3222

2. Comparing the contents of the normal and abnormal session tables by session table pointer, the two are identical; no abnormality was found.
3. ACL debugging showed no packet loss on the firewall:
Protocol(TCP) SourceIp(211.139.164.197) DestinationIp(211.139.144.201) 
SourcePort(50118) DestinationPort(7890) VpnIndex(public) 
           Receive           Forward           Discard 
Obverse : 2          pkt(s) 2          pkt(s) 0          pkt(s)  
Reverse : 0          pkt(s) 0          pkt(s) 0          pkt(s)
Discard detail information:

4. It was suspected that an inconsistent (asymmetric) forwarding path caused the problem. State detection was disabled on both the master and the backup device, but the problem remained.
5. Packets were captured on the firewall's internal network interface to confirm whether it received the return packets. It was found that one physical member interface of the eth-trunk was down. After the optical module was replaced, both NAT server addresses worked normally.
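The triage in steps 1 and 3 amounts to one check: a session stuck in state 0x51 whose return-direction packet counter is 0 means the SYN was forwarded but nothing ever came back, which points at the return path rather than at the firewall's policy. The following is an added example (not from the original case or from the firewall vendor) that parses verbose session output in the layout quoted above and lists such half-open sessions; the session records, addresses and ids in SAMPLE are constructed from values that appear in this case and are assumptions.

```python
import re

# Constructed sample in the "display firewall session table verbose" layout quoted
# in this case; the tuples and ids are assembled as placeholders, not copied data.
SAMPLE = """\
tcp  (vpn: public -> public)
zone: untrust -> trust  tag: 0x4000258c  State: 0x51
ttl: 00:00:05  left: 00:00:05  Id: fde51d8  SlvId: 11026418
Interface: E2  Nexthop: 172.30.6.12  Mac: 00-00-5e-00-01-14
<-- packets:1 bytes:60   --> packets:0 bytes:0  211.139.144.201:7890[172.30.10.6:7890]<--211.139.164.197:50118
tcp  (vpn: public -> public)
zone: untrust -> trust  tag: 0x4000258c  State: 0x53
ttl: 00:20:00  left: 00:20:00  Id: 2fd100b0  SlvId: 2eadec60
Interface: E2  Nexthop: 172.30.6.12  Mac: 00-00-5e-00-01-14
<-- packets:1011 bytes:374582   --> packets:1053 bytes:149191  211.139.144.204:7890[172.30.10.69:7890]<--125.88.6.162:3222
"""

SYN_RECEIVED = 0x51   # state of the failing sessions in this case
ESTABLISHED = 0x53    # state of a healthy TCP session

STATE_RE = re.compile(r"State:\s*(0x[0-9a-fA-F]+)")
PKTS_RE = re.compile(
    r"<-- packets:(\d+) bytes:\d+\s+--> packets:(\d+) bytes:\d+(?:\s+(\S+))?")


def parse_sessions(text):
    """Split verbose session output into dicts: protocol, state, counters, tuple."""
    sessions, cur = [], None
    for line in text.splitlines():
        if re.match(r"^\w+\s+\(vpn:", line):     # a new session record starts here
            cur = {"proto": line.split()[0]}
            sessions.append(cur)
        elif cur is None:
            continue
        elif (m := STATE_RE.search(line)):
            cur["state"] = int(m.group(1), 16)
        elif (m := PKTS_RE.search(line)):
            # The tuple is printed server[inside]<--client, so the "<--" counter is
            # the client-to-server direction and "-->" is the return direction.
            cur["to_server"], cur["from_server"] = int(m.group(1)), int(m.group(2))
            cur["tuple"] = m.group(3) or ""
    return sessions


def half_open_sessions(text):
    """Tuples of sessions stuck after the SYN with no return packet at all: the
    symptom of a broken return path (here, a down eth-trunk member link)."""
    return [s["tuple"] for s in parse_sessions(text)
            if s.get("state") == SYN_RECEIVED and s.get("from_server", 0) == 0]
```

If every half-open session shares the same inside host or next hop, the return path from that host is the first thing to check, as the packet capture in step 5 did.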
Root Cause
The firewall and the switch were both configured with speed 1000, which led to the link being down on one side and up on the other, so packets sent by one side could not be received by the other.
Suggestions
When an eth-trunk port is used, check whether each physical member interface is normal; a thorough understanding of what "speed 1000" and "full duplex" mean is also needed.

END